🌐 🇵🇱 Polski · 🇬🇧 EN
If you provide SSH login access in a Linux environment, it is good practice to control who can access your server and from where. We can specify which users are allowed to log in via SSH and from which subnets or specific hosts such access is permitted. To achieve this, we will use the capabilities provided by TCP Wrappers and user account configuration in the /etc/passwd file. We will also configure access control using the IPTABLES system firewall. The access control methods presented here also apply to other services where the operating principle is the same. Differences may apply to services that do not work with TCP Wrappers, e.g., samba. More about iptables.
BLOCKING SSH ACCESS USING TCP WRAPPERS
TCP Wrappers work by replacing the service program with a simple program called tcpd, which forwards the connection to the actual service only after verifying the connecting client. When a connection is attempted, TCP Wrapper can:
- check if DNS entries corresponding to IP addresses match the hostnames,
- check if the client has access rights in the access control files: /etc/hosts.allow and /etc/hosts.deny,
- use the ident protocol to verify the identity of the connecting user,
- log appropriate information to system logs,
- execute any command or script,
- pass control to the actual network daemon.
hosts.allow and hosts.deny
Based on the file names, we can infer their roles: hosts.allow contains a list of computers that have access rights to specific network services, and hosts.deny contains those that do not. The hosts.allow file is checked first, followed by hosts.deny. Since tcpd stops at the first matching entry, a host found in the first file will be granted access, even if it is also listed in the second file.
The format of individual entries in both files is the same:
lista-usług : lista-komputerów [: polecenie]
- service-list is a comma-separated list of service names or ALL,
- host-list is a comma-separated list of computer names, domain names, IP addresses, network addresses, and network groups; you can use ALL, EXCEPT, LOCAL (local names, i.e., those without dots), PARANOID (only in hosts.deny, meaning all computers whose name does not match their address),
- an optional command is executed every time a pattern match occurs.
Example commands:
- spawn - executes a command (as a new process)
- twist - executes a command instead of the requested service
- banners - displays text from a file to the client
- setenv - sets an environment variable for the process runtime environment
More details can be found in man hosts_allow and man 5 hosts_access.
Example :
If we want to allow SSH access only for the host with the address 192.168.0.50, we add the appropriate entries to the /etc/hosts.allow and /etc/hosts.deny files.
To the hosts.allow file, we add:
sshd: 192.168.0.50
To the hosts.deny file, we add:
sshd: ALL
Such entries will block login attempts to the server from machines other than the host with the address 192.168.0.50.
BLOCKING SSH ACCESS USING IPTABLES
To allow access to the SSH service only for a selected host or subnet, we can use iptables firewall rules. For the SSH service, these rules concern port 22.
Who should have access?
To allow SSH access for a selected host, e.g., with IP address 192.168.0.50, we add the entry:
iptables -I INPUT -m tcp -p tcp --dport 22 -s 192.168.0.50 -j ACCEPT
The -s 192.168.0.50 switch specifies the source from which traffic will be allowed to the server.
Next, we save the settings and restart the iptables firewall service:
# service iptables save
# service iptables restart
You should also remember to remove the default rule:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
This rule allows SSH access from any host.
Who should not have access?
If we want to eliminate any host or subnet from which one can access the server using SSH, we can add firewall rules in the form of:
iptables -I INPUT -m tcp -p tcp --dport 22 -s 192.168.0.14 -j REJECT
# service iptables save
# service iptables restart
This entry results in rejecting packets coming from the host with the address 192.168.0.14, preventing it from accessing the server. Upon attempting to log in, the user will see:
# ssh 192.168.0.12
ssh: connect to host 192.168.0.12 port 22: Connection refused
Instead of individual IP addresses, we can also provide subnet addresses in the form of:
-s 192.168.0.0/24
More about iptables can be read: here.
BLOCKING SSH ACCESS FOR A LOCAL USER
To block access to the system shell for a selected user, simply modify their entry in the /etc/passwd file
nosshuser:x:500:501::/home/nosshuser:/sbin/nologin
user1:x:501:502::/home/user1:/bin/bash
The snippet from the /etc/passwd file shows two users, where the user "nosshuser" does not have the ability to log in to the server using SSH, as indicated by the entry:
/sbin/nologin

Comments